Identified in 2014, TheMoon botnet is configured to look for flaws in
routers made by companies like ASUS, D-Link, Linksys, and MikroTik. The
proxy botnet has been employed by its operators for a number of purposes:
video advertisement fraud, general traffic obfuscation, and brute force, to
name a few.
With the malicious intention of further expanding the botnet, the operators are
expected to constantly scan for exploitable services running on IoT devices.
On successfully detecting a vulnerable device, the botnet is programmed to drop
a shell script which, once executed, downloads the initial phases of the
Security researchers at CenturyLink have detected that the recent module
differs from the previous one in that it converts the targeted device into a
SOCKS5 proxy, which allows the botnet operator to offer its proxy network
service to other people.
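
For defenders auditing routers they administer for the behaviour described above, a SOCKS5 listener can be recognised by its RFC 1928 handshake. This is an added example, not code from CenturyLink or the original article; the host address and ports are constructed assumptions, since the article does not say which port the proxy module listens on.

```python
import socket

# SOCKS5 client greeting (RFC 1928): version 5, one method offered, 0x00 = no auth.
GREETING = b"\x05\x01\x00"

def parse_method_reply(data):
    """Return the selected method byte if data is a SOCKS5 method reply, else None."""
    if len(data) == 2 and data[0] == 0x05:
        return data[1]
    return None

def probe_socks5(host, port, timeout=3.0, connect=socket.create_connection):
    """Classify one TCP port on a device you administer."""
    try:
        with connect((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(GREETING)
            data = b""
            while len(data) < 2:              # the reply is exactly two bytes
                chunk = s.recv(2 - len(data))
                if not chunk:                 # peer closed before answering
                    break
                data += chunk
    except OSError:                           # refused, filtered, or silent port
        return "no-answer"
    method = parse_method_reply(data)
    if method is None:
        return "open-not-socks5"
    if method == 0x00:
        return "socks5-no-auth"               # anyone reaching the port can relay
    if method == 0xFF:
        return "socks5-auth-required"         # server rejected the no-auth offer
    return "socks5-other-method"

def audit(targets, **kw):
    """Return only the (host, port, verdict) rows where a SOCKS5 service answered."""
    rows = [(h, p, probe_socks5(h, p, **kw)) for h, p in targets]
    return [r for r in rows if r[2].startswith("socks5")]

if __name__ == "__main__":
    # Constructed inventory: documentation address and arbitrary ports (assumptions).
    for row in audit([("192.0.2.1", 1080), ("192.0.2.1", 8080)], timeout=1.0):
        print(row)
```

Any SOCKS5 verdict on a consumer router that was never configured to run a proxy is worth investigating.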
On connecting to TCP port 8002, the person browsing automatically receives a
stream of log messages associated with advertisement fraud.
from the findings of the CenturyLink report,
six-hour time period from a single server resulted in requests to 19,000 unique
URLs on 2,700 unique domains. After browsing some of the URLs, it was apparent
they all had embedded YouTube videos.”
always-on nature of IoT devices and the ability to masquerade as normal home
users make broadband networks prime targets for these types of attacks,”